W-2 Phishing Scams: What You Need to Know to Stay Secure

The IRS recently issued a warning that W-2 phishing scams are on the rise. In fact, 29,000 victims have already been claimed in 2017 to date! The attacks this year have started earlier than in previous years and are targeting a broader range of businesses. It’s time we learned how to better protect ourselves against this rampant form of fraud.

Phishing attacks have recently been targeting W-2 forms because they are a treasure trove of personal and financial information. The attackers generally pose as a company official or other trusted source when they send phishing emails. In the emails, they either ask HR to send over employees’ W-2 forms or employees to send over their own. Because phishing is a numbers game, the more emails they can send, the higher the chances they’ll get the information they want. So once they have the W-2 forms in hand, there are a variety of ways that criminals choose to exploit them, but lately there has been a rise in the filing of fraudulent tax returns. The goal in these crimes is to illegally collect tax refunds on behalf of other people.

There have been quite a few high-profile attacks over the last few years, and 2017 is shaping up to be a banner year for these phishing scams. In fact, some of these W-2 phishing scams are now coming from criminals purporting to be the IRS itself.

In some more recent attacks, phishers are asking for wire transfers in addition to W-2 forms. So it has never been more important to take strong precautionary measures and make sure your company is safe from tax-season fraud. Here are our recommendations.

Educate and Train

One of the best defenses is good employee training. Your workers can’t avoid phishing scams if they don’t know how to spot them. After the JP Morgan Chase attack in 2014, for example, the Chase IT security group decided to send out a fake phishing email to employees to gauge whether they would fall victim again. A whopping 20 percent took the bait. Yikes. It’s not just JP Morgan, though: The Verizon Data Breach Report found that around 30 percent of all employees fall for phishing attacks.

So the best place to start with securing your company against W-2 phishing attacks is to educate employees about what they look like. We recommend conducting extensive employee security training when anyone new joins your company. This is a good time to go over all kinds of best practices, but make sure to hit on what phishing attacks are, why they’re so common, and how to spot them.

In particular, let employees know they should be wary of any email asking for personal information or any other type of sensitive data. Most legitimate requests will not come through unexpected emails. Additionally, educate employees on how phishing scams use illegitimate websites. These are sites that, at first glance, appear normal but in fact have small spelling nuances (e.g., docs.google.com vs. docs.gogle.com) or letters replaced by numbers (e.g., docs.g00gle.com). Encourage employees to approach all unexpected email communications with skepticism and to build a security culture in which employees feel comfortable informing security personnel of anything that looks even slightly suspicious. It’s key to build a culture where all employees take responsibility for the security of the organization.

Use Testing Tools

After you’ve trained and educated your employees to spot phishing attempts, you’ll want to test out their new skills. These days, there are some cool programs that can help you assess where your company’s security culture stands.

For example, you can manually send a fake email or use a simulation tool like InfoSec’s Security IQ. This software sends fake phishing emails to employees, then delivers a report on their responses. The results of this can help you understand whether your current training programs are working and what areas need to be beefed up.

Monitor Continuously

Beyond people, technology can be a huge help in defending against phishing. In particular, we recommend that all organizations implement continuous security monitoring. While W-2 phishing in some cases is simply trying to steal employee information via email, in other cases phishing has a different goal. That goal may be to steal computing resources, make off with corporate IP, or access a trove of passwords and other organizational secrets. At the end of the day, the “end” is usually money, but the “means” can vary quite a bit.

To combat against phishing that goes after your infrastructure, implementing continuous monitoring will let you set up a security “baseline.” This way you can visualize what is normal for your organization and receive alerts anytime something happens that significantly deviates from normalcy. This means that, even if a phishing attempt makes it past your outer layer of defenses, if the attacker tries to use your infrastructure inappropriately, you will know right away and can take appropriate measures to shut it down.

Be the Hardest Target

Our motto at Threat Stack, as you may have heard before, is that you don’t have to outrun the bear. You just have to outrun the other people. In other words, your company doesn’t have to be the most secure company on the planet. You simply need to make bad guys’ jobs as difficult as possible. This will help ensure that they go after a different target and leave you in peace.

When it comes to phishing attacks specifically, a combination of employee training, periodic testing, and continuous security monitoring will help to make you a very unappealing target indeed.